Commit 708d099

[Change] changelog: dedup v2.0.2 entries per /r-util-chg-dedup
[Change] changelog: reorder v2.0.2 sections to v2.0.1 convention (New Features / Changes / Bug Fixes); rename "Fixes" to "Bug Fixes" for section-name parity
[Change] changelog: fold hookscan validation-reorder [Change] into the hookscan audit-trail [New] entry — the reorder is implementation detail of the feature, not a standalone change
[Change] changelog: fold alert_lib 1.0.7 -> 1.0.8 [Change] into the telegram [Fix] entry — the lib bump IS the fix delivery mechanism
[Change] changelog: drop 33-file header-sweep [Change] — copyright/banner housekeeping, not user-facing
1 parent 00d68aa commit 708d099

2 files changed

Lines changed: 28 additions & 37 deletions

CHANGELOG

Lines changed: 16 additions & 21 deletions
@@ -1,42 +1,37 @@
11
v2.0.2 | May 12 2026:
22

3-
-- Fixes --
4-
5-
[Fix] quarantine: symlink TOCTOU guards across scan-to-quarantine
6-
(_batch_quarantine pre-filter + per-file, _quarantine_file, quar_hitlist
7-
callers), restore (_validate_restore_path), and clean-failure
8-
re-quarantine (clean); SECURITY-FINDINGS P2-1 + P3-6 deferred from 2.0.1
9-
[Fix] alert: telegram delivery failed on MarkdownV2 reserved characters in
10-
substituted token values; wired escape_mode in _alert_tpl_render
11-
(alert_lib 1.0.8) and mirrored in _lmd_render_entries; affects
12-
--test-alert {scan,digest} telegram and real telegram alerts; issue #487
13-
143
-- New Features --
154

165
[New] hookscan: audit-trail coverage for pre-scan validation decisions —
176
filename rejection (non_printable, metachar, traversal, relative_path),
187
homedir-restriction violation, scan timeout, and scan error now emit
198
pattern_matched/error_occurred/hook_timeout/hook_failed events to
20-
audit.log with mode= and reason= extras; closes G-04 (single-file
21-
path) from docs/specs/2026-03-24-audit-log-coverage-assessment.md
9+
audit.log with mode= and reason= extras (filename validation reordered
10+
to run after elog_lib sourcing so rejection events reach audit.log);
11+
closes G-04 single-file path from
12+
docs/specs/2026-03-24-audit-log-coverage-assessment.md
2213
[New] hookscan: BATS coverage for ftp mode (pure-ftpd CallUploadScript)
2314
including UPLOAD_VUSER env-var auto-detect and explicit-ftp-overrides;
2415
ftp mode is logger-only on stdout (fire-and-forget per pure-uploadscript
2516
contract); docs/specs/2026-03-23-hookscan-improvement-proposal.md §3b
2617

2718
-- Changes --
2819

29-
[Change] hookscan: filename validation block reordered to run after
30-
elog_lib sourcing so rejection events reach audit.log; rejection
31-
path semantics unchanged (still bails before any scan work)
3220
[Change] release: version bump 2.0.1 -> 2.0.2
33-
[Change] headers: sweep 33 source files (sub-libs, hookscan.sh, uninstall.sh,
34-
cron.daily, service files, clean scripts) to v2.0.2 banner — parent
35-
CLAUDE.md "All version/copyright headers must stay in sync"
3621
[Change] ignore_inotify.defaults: add Dovecot doveconf tempfiles
3722
(/tmp/doveconf., /var/tmp/doveconf.) — Plesk mail subsystem; issue #488
38-
[Change] alert_lib: vendored 1.0.7 -> 1.0.8 (escape_mode + skip_tokens in
39-
_alert_tpl_render)
23+
24+
-- Bug Fixes --
25+
26+
[Fix] quarantine: symlink TOCTOU guards across scan-to-quarantine
27+
(_batch_quarantine pre-filter + per-file, _quarantine_file, quar_hitlist
28+
callers), restore (_validate_restore_path), and clean-failure
29+
re-quarantine (clean); SECURITY-FINDINGS P2-1 + P3-6 deferred from 2.0.1
30+
[Fix] alert: telegram delivery failed on MarkdownV2 reserved characters in
31+
substituted token values; wired escape_mode + skip_tokens in
32+
_alert_tpl_render (vendored alert_lib 1.0.7 -> 1.0.8) and mirrored in
33+
_lmd_render_entries; affects --test-alert {scan,digest} telegram and
34+
real telegram alerts; issue #487
4035

4136
v2.0.1 | Mar 25 2026:
4237

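Review bot: folding the hookscan reorder into the [New] entry (new lines 9-12) drops the clause "rejection path semantics unchanged (still bails before any scan work)" that the removed [Change] entry carried. That clause was the changelog's only statement that running filename validation after elog_lib sourcing did not change when a rejected name stops processing. Suggest keeping it in the parenthetical, for example "... so rejection events reach audit.log; still bails before any scan work".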
CHANGELOG.RELEASE

Lines changed: 12 additions & 16 deletions
@@ -1,16 +1,5 @@
11
v2.0.2 | May 12 2026:
22

3-
-- Fixes --
4-
5-
[Fix] quarantine: symlink TOCTOU guards across scan-to-quarantine
6-
(_batch_quarantine pre-filter + per-file, _quarantine_file, quar_hitlist
7-
callers), restore (_validate_restore_path), and clean-failure
8-
re-quarantine (clean); SECURITY-FINDINGS P2-1 + P3-6 deferred from 2.0.1
9-
[Fix] alert: telegram delivery failed on MarkdownV2 reserved characters in
10-
substituted token values; wired escape_mode in _alert_tpl_render
11-
(alert_lib 1.0.8) and mirrored in _lmd_render_entries; affects
12-
--test-alert {scan,digest} telegram and real telegram alerts; issue #487
13-
143
-- New Features --
154

165
[New] hookscan: audit-trail coverage for pre-scan validation rejections
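Review bot: the [New] hookscan entry that begins on the last context line of this hunk is left untouched in CHANGELOG.RELEASE, although the commit message says the validation-reorder [Change] is folded into it. In CHANGELOG the fold adds "(filename validation reordered to run after elog_lib sourcing so rejection events reach audit.log)" to the entry; in this file the [Change] is deleted further down with no matching addition in the visible lines. Either add the same parenthetical to this entry or confirm that the unchanged lines between the two hunks already say it, otherwise the reorder disappears from the release notes rather than being folded.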
@@ -21,14 +10,21 @@ v2.0.2 | May 12 2026:
2110

2211
-- Changes --
2312

24-
[Change] hookscan: validation reordered to run after elog_lib source so
25-
rejection events reach audit.log
2613
[Change] release: version bump 2.0.1 -> 2.0.2
27-
[Change] headers: sweep 33 source files to v2.0.2 banner — header sync hygiene
2814
[Change] ignore_inotify.defaults: add Dovecot doveconf tempfiles
2915
(/tmp/doveconf., /var/tmp/doveconf.) — Plesk mail subsystem; issue #488
30-
[Change] alert_lib: vendored 1.0.7 -> 1.0.8 (escape_mode + skip_tokens in
31-
_alert_tpl_render)
16+
17+
-- Bug Fixes --
18+
19+
[Fix] quarantine: symlink TOCTOU guards across scan-to-quarantine
20+
(_batch_quarantine pre-filter + per-file, _quarantine_file, quar_hitlist
21+
callers), restore (_validate_restore_path), and clean-failure
22+
re-quarantine (clean); SECURITY-FINDINGS P2-1 + P3-6 deferred from 2.0.1
23+
[Fix] alert: telegram delivery failed on MarkdownV2 reserved characters in
24+
substituted token values; wired escape_mode in _alert_tpl_render
25+
(vendored alert_lib 1.0.7 -> 1.0.8) and mirrored in _lmd_render_entries;
26+
affects --test-alert {scan,digest} telegram and real telegram alerts;
27+
issue #487
3228

3329
v2.0.1 | Mar 25 2026:
3430

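Review bot: the re-added [Fix] alert entry (new lines 23-27) reads "wired escape_mode in _alert_tpl_render", while the alert_lib [Change] it absorbs named "escape_mode + skip_tokens" and the same entry in CHANGELOG now reads "wired escape_mode + skip_tokens". Suggest adding "+ skip_tokens" here so both files describe the vendored 1.0.7 -> 1.0.8 bump identically and skip_tokens does not drop out of CHANGELOG.RELEASE.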